I can confirm that in version 3.0, error printing works. I do not have access to the server that is giving the error. I'm waiting for the IDP people to register my local machine for a more effective test. But what I did was configure my local machine as a server with the problem and put the hardcoded SAML2 response in the code. I get the response in the log. So now I can see the errors printed:
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
I put version 3.0 on the server and printed the errors in the log:
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
------
2024-06-24T12:42:30 INFO my.product signatures.c:492(xmlSecOpenSSLEvpSignatureVerify)
------
2024-06-24T12:42:30 INFO my.product obj=rsa-sha256 subject=EVP_VerifyFinal msg=signature do not match errno=18
It appears that no certificate in the metadata can validate the response.
Wesley Barroso Lopes via Plone Community wrote at 2024-6-24 13:59 +0000:
...
(u'evp_signatures.c:368(xmlSecOpenSSLEvpSignatureVerify)', u'obj=rsa-sha256 msg=details=EVP_VerifyFinal: signature does not verify errno=18')
Does this give any hints as to what it could be?
The repetition of the error message is likely caused by the
trial of several certificates -- each trial likely gives one message.
You could look at line 368 of (xmlsec1 source file) "evp_signatures.c".
If you are lucky, you will find there information beyond
"signature does not verify".
But I think we can already say that the problem is not caused
by the certificates proper (no longer valid, bad subject, ...).
It is just that the public keys in those certificates are
unable to verify the signature.
Are you sure the metadata is fetched from the right URL?
You could look at the certificate content.
In the metadata the certificates are "base64" encoded.
Decoding them gives you the certificate in "DER" format.
You can use "openssl x509" to print the certificate content
in readable form.
A certificate is issued for a subject. Look at it and
check whether it may be your IDP.
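The check described in this reply, decoding each certificate embedded in the IdP metadata and printing it with "openssl x509", as an added shell example that is not part of the thread. It assumes POSIX sh with grep, sed and tr, the openssl CLI, and a metadata file path passed as the first argument; the metadata element and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list every X509Certificate element in a
# SAML metadata file and print the decoded certificate's subject, issuer,
# validity window and SHA-256 fingerprint with "openssl x509", so the certs
# the SP will try during signature verification can be compared with the IdP
# one expects. Assumes POSIX sh, grep -o, sed, tr and the openssl CLI.

# Usage: saml_metadata_certs /path/to/idp-metadata.xml
saml_metadata_certs() {
    meta="$1"
    [ -r "$meta" ] || { echo "cannot read $meta" >&2; return 2; }
    # Metadata embeds certificates base64-encoded inside <ds:X509Certificate>
    # elements (the prefix may differ or be absent), often wrapped across
    # lines. Strip all whitespace so each element becomes one grep match,
    # then drop the tags to leave the bare base64 text.
    certs=$(tr -d ' \t\r\n' < "$meta" \
        | grep -o '<[^<>/]*X509Certificate>[^<]*</[^<>]*X509Certificate>' \
        | sed 's/<[^>]*>//g')
    [ -n "$certs" ] || { echo "no X509Certificate elements in $meta" >&2; return 1; }
    n=0
    for b64 in $certs; do
        n=$((n + 1))
        echo "--- certificate #$n ---"
        # base64 -> DER, then openssl x509 prints the DER certificate readably.
        printf '%s' "$b64" | openssl base64 -d -A \
            | openssl x509 -inform DER -noout -subject -issuer -dates \
                           -fingerprint -sha256 \
            || echo "certificate #$n does not decode as a DER certificate" >&2
    done
    echo "$n certificate(s) found"
}
```

Compare the printed subject and fingerprint with what the IdP operators publish; a signing certificate that is missing here, or one that belongs to a different entity, explains a "signature does not verify" result even when every certificate is otherwise valid.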